Hacking the Linux Desktop

Editor's note: Modifying stuff to suit individual desire is the credo of hackers everywhere. These two excerpts from Linux Desktop Hacks let you modify Linux to suit your desires: control how you access your own desktop, and how users access theirs. (And check back here next week for two more hacks from the book--the first on viewing Microsoft Word documents in a terminal, the second on creating an internet phone.)

Access Windows and Mac OS X from Linux

No need to move to another computer; just sit
put and access them all.

Although you don't need to go
far to hear someone extolling the
benefits of Linux and free software, many people still need to use
other operating systems, such as Microsoft Windows and Apple Mac OS
X. Aside from personal choice, other reasons to use non-Linux
operating systems include running applications that are available
only on a particular OS, an employer mandating that you use a
particular platform, or even a need to test software and services
across different platforms. For some, the solution is a huge desk set
up to accommodate three computers with three monitors and three
keyboards/mice; however, there is a better way.

This hack uses a piece of software called Virtual Network
Computer (VNC). This useful little tool allows you to essentially
redirect your monitor output to another computer on a network, and
accept keyboard and mouse input from the remote computer. With this
software you can run the VNC server on a Windows machine
and view the Windows desktop on your Linux machine. Likewise, you can
run the VNC server on your Linux machine and view your Linux desktop
on a Windows-based desktop. VNC is available for most Unix-based
OSes, such as Linux, FreeBSD, Solaris, etc., as well as Microsoft
Windows and Mac OS X. VNC gives you the ability to pull together
these disparate operating systems on a single desktop.

Configure a Linux VNC Server

VNC comes in a few different guises, but most attention is focused on
the RealVNC and TightVNC variants. Of the two versions, TightVNC
appears to be the better performer and you can get it from
http://www.tightvnc.com/download.html. A
number of different packages are available for the supported
platforms, and you need both the server (to provide a VNC resource to
connect to) and the viewer (to connect to another VNC resource). You
should be able to install a recent version of TightVNC using your
distributions package manager.

To run a VNC server on Linux you must launch the server and give it a
special display number to connect to. This usually starts at
1 and increases by one for each new server
created. As an example, if you run a VNC server on a machine with the
address 192.168.0.2, you would access the first
VNC resource as 192.168.0.2:1. To run the server,
specify the screen resolution and color depth with the
-geometry and -depth
command-line options:

foo@bar:~$ vncserver -geometry 1024x768 -depth 24

These settings are parameters for your virtual screen, not the real
settings of the machine you are running the server on. This means the
physical screen might be displaying an image at 1280x1024 in 8-bit
color, but you can view it remotely at 1024x768 in 24-bit color. Of
course, the machine you are viewing the image on must support your
choices.

TIP:
You can specify a nonstandard resolution--for instance, 990x745.
Doing this allows you to maximize the size of the remote image on
your desktop without obscuring your local desktop's
toolbars and panels.

When you first run the server, you are prompted for a password. This
password is used to ensure that clients are who they say they are,
and the password is stored and remains the same each time you use the
VNC server (you can change the password later with
vncpasswd if you need to). When the password is
successfully entered, the server indicates which display number it
has been given.

While the server is running, all applications that are used appear on
the VNC display as well as the normal screen on the computer (if a
monitor is attached). You can also route applications to display only
on the VNC server by using the DISPLAY environment
variable and specifying the hostname and display number:

foo@bar:~$ mozilla -display 192.168.0.2:1 &

To stop the VNC server, you need to use the -kill
option and the display number assigned earlier when you started the
server:

foo@bar:~$ vncserver -kill :1

Connect to a VNC Server

To connect to the VNC
server from a Linux machine, you can use the
vncviewer tool that is included with the VNC
software. This simple little program is used like this:

foo@bar:~$ vncviewer 192.168.0.2:1

In this command, you specify the IP address, a colon
(:), and then the display number to connect to.
When you run the command, you are prompted for the VNC server
password and then the VNC desktop is displayed.

Configure a Windows VNC Server

Installing the Windows VNC
server is a
fairly painless process. Once installed, it can be configured as a
Windows Service so that it is always running (like a daemon in
Linux). The benefit of running the server as a service is that you
will still be able to access the server when the machine is locked or
the user has logged out.

Download the Windows installer from the TightVNC web site. It is a
typical Windows installer that offers no surprises.

To use the VNC server as a service, tick each box that refers to the
VNC Server System Service in the VNC installation routine. When you
have done this, the Server Options dialog box will appear, and you
must configure at least the Authentication tab to run the server. In
this tab, you should select the VNC 3.3 Authentication option and use
the Set Password field to define the password for the server. You
should never disable authentication unless you are 100% sure the host
network is secure.

To start and stop your server, use the standard Windows Services
configuration tool to start and stop the service.

Configure a Mac OS X VNC Server

The official VNC distribution
does not include support
for Mac OS X; however, a VNC server is freely available from Redstone
Software (http://www.redstonesoftware.com/vnc.html),
called OSXvnc. This software is available as a Mac OS X disk image
file (.dmg). Download the software and then
double-click it in the Finder. A window will pop up with the program
inside it; drag the program to the desktop. Now if you double-click
the icon on the desktop, the VNC Settings dialog will appear. For a
quick and easy VNC connection, the defaults are fine, and you can
just click the Start Server button to begin the connection.

View Your Desktop in a Web Browser

One intriguing feature of
the VNC server is that it includes a small
web server that exports the VNC desktop to a browser using a special
Java applet. To access your VNC server, connect to port
5801 with a Java-enabled web browser. This port
number is appended to the hostname/IP address in the same way as a
normal web resource:

http://foo.com:5801

This port number actually maps to the VNC display you are running. If
you are running display number 1, use port
5801; display number 2 is port
5802, etc.

When you are running any server on the Internet, you should take
steps to ensure that it is protected with a firewall. A firewall
keeps all unwanted traffic away from your server. If you are running
a firewall already, you should ensure that ports 5800-5805 are
available for use. If you want to be extra secure, only open port
5801 for use and make sure you always run off desktop number 1.
Another option is to encrypt your VNC connection with an SSH tunnel
[Hack #32] .

Lock Down KDE with Kiosk Mode

Control exactly what your users can tinker
with, and what they can't change at all.

System administrators typically
spend a lot of their time fixing trivial
problems for users who have accidentally changed their settings in
some way. When an inexperienced user moves a desktop icon into the
trash or sets a mime-type to open with the wrong program, he might be
unable to reverse his changes. Calls to the system administrator for
help are a poor use of everyone's time. It would be
better if the user had never been able to make undesirable changes.

Perhaps you just want to set up a Linux desktop for your grandmother
but she keeps changing the layout of the application toolbars without
meaning to. The new look confuses her so much that she calls you all
the time asking for help, or worse, she gives up on Linux or
computers. Wouldn't it be great if you could protect
your grandmother from herself?

For computers in a public setting such as an Internet café
or library, problems such as these turn into more than just
timewasters; they can prevent others from using the machine or cause
distress for users. Have you heard the common anecdote of the script
kiddy who has changed the background wallpaper on all the machines in
a library to pornographic photos?

Enter the Kiosk

KDE has traditionally been one of the most configurable desktop
environments available, but KDE 3.2.3 pushed the fold and added the
Kiosk framework, which allows for any or all of the configuration
options to be marked as unchangeable. With Kiosk you can create
profiles that are attached to users or groups of users. A profile can
define any KDE setting, but usually includes the contents of the
desktop, panel, and K Menus, as well as the choice of wallpaper,
default fonts, and widget style. You can also specify important
system settings, such as the network proxy and file associations.
Most importantly, all these options can be set to be unchangeable by
the user. This means grandma will never accidentally delete her web
browser icon, and a bored teenager can't change the
library's computer wallpaper to something that will
give grandma a heart attack.

The easiest way to set up a Kiosk profile is to use the Kiosk Admin
Tool. Some distributions include this by default or include a package
for it. If you need to, you can download the source from its web site
at http://extragear.kde.org/apps/kiosktool.php.

Start the Kiosk tool (as a normal user; there's no
need to run as root) by selecting
K-menu→System→Kiosk Admin Tool, or with the
kiosktool command, and click Add New Profile. Give
this profile a name such as
"locked-down" and click OK to save.
When prompted, provide your root password to save the new profile.
Now click Manage Users and add a user policy to link a user to your
new locked-down profile. You can also add Linux user groups to the
policy. The Kiosk tool links to /etc/group,
which is where you should manage group membership. To configure a
profile, select it in the list and then click Next. The next screen
presents numerous modules, each with specific configuration options
in it. Ticking an option will lock down its corresponding feature.
The settings will be saved when you click Back.

Some of the modules offer graphical setup for their settings. For
example, under the Desktop Icons module you can load a temporary
desktop to replace your normal one. Switch to a different virtual
desktop (Ctrl-F2) if you have windows covering your background. You
can add, remove, and move any of the icons on the temporary desktop.
When you click Save in Kiosk Admin Tool, the settings for this
desktop will be saved and your normal desktop will be loaded again.
This makes configuring the setup for your Kiosk profile as easy as
configuring your own desktop.

A general breakdown of the types of settings you will find in the
most important modules follows:

General

Contains the settings that control the global properties for all KDE
programs and includes the ability to run commands, log out, or move
toolbars. Disabling Konsole removes not only its entry from the K
Menu, but also the embedded Konsoles in Konqueror and Kate.

Turns off standard menu actions such as open, print, paste, settings,
etc., from all KDE applications.

File Associations

Ensures that files can be opened only with the specified programs.

Network Proxy

Enforces the use of your web proxy. Uses a web proxy to restrict
which web sites a user can browse.

Panel

Used to lock down the panel, prevents users from adding or removing
the items you place here, and enables you to prevent panel context
menus from working.

The Kiosk framework has been used in large enterprise deployments of
KDE. Administrators report that it cuts the time taken up by user
support by half, because it reduces the number of small but
time-consuming problems users have. If you are considering using
Kiosk in a public setting you might want to make yourself familiar
with the KDE configuration file format. Browse through
/etc/kde-profile to see the settings made by the
Kiosk Admin Tool. Adding [$i] to a configuration
option, group of options, or file makes them unchangeable by users.

Kiosk is not a substitute for using Unix filesystem permissions or
other security settings. You should also make sure you set X to not
be killable with Ctrl-Alt-Backspace, and prevent users from changing
to a text console. Finally, make sure the login manager does not
allow users to log in to any other desktop environment that has not
been locked down.